Global Cyber Executive Briefing

E-Commerce & Online payments

As more and more businesses move or expand from bricks to clicks, criminals are following suit. Many e-commerce websites are directly connected both to the internet and to a company’s back-end systems
for data processing and supply management, making the website a prime attack point for gaining access to crucial information assets within the organization.

Explore Content

One of the most common attacks in this sector is a database breach (case #1). Often, such attacks result in a loss of customer data, including names, physical addresses, phone numbers, e-mail addresses and payment information. Since trust is especially important in e-commerce, the loss of customer data can be very damaging to an online company’s reputation and business performance. This is true even if the attacker is an unsophisticated “script kiddie” who is just showing off for friends or messing around for fun. Also, the impact of a breach can go far beyond reputation damage, depending on where in the world it occurred. A number of US states have already instituted breach notification laws, and the EU is expected to follow shortly. Such laws require organizations to come forward and publically admit they were breached. The EU directive also includes heavy fines.

Online payment systems are another vulnerable area that is often attacked. The ability to accept payment is critically important for online businesses, since it is one of the last steps in a customer’s purchase journey. As such, the financial impact of a payment system attack can be enormous, depending on its duration. After all, if customers can’t pay, they can’t buy. Most e-commerce sites outsource payment processing to a variety of third-party providers that promise high availability of their payment services. However, these providers are increasingly being targeted with denial-of-service attacks, particularly by hacktivists that want to disrupt an organization in a highly visible way (case #2).

Payment-related attacks are also appealing to criminals looking for financial gain. Saving a customer’s credit card data in an internal database might seem like a good way to make the shopping process more convenient, but it creates an attractive target for cybercriminals. Payment processing vendors are even more attractive to attack, since the potential for a big score is much greater. In the brick-and-mortar world, cyber-criminals have developed a variety of techniques for skimming credit cards at Point of Sale (POS) terminals and ATMs. Also, they have developed a wide range of attack vectors targeted directly at online payment vendors. Some of the most sophisticated attacks use a combination of online and traditional physical techniques to increase their effectiveness. (case #3)

Attacks on a payment vendor can be just as damaging to a company’s reputation as attacks that target the business directly, since most customers don’t see a distinction between an organization and its service providers.

Lost customer data leads to lost trust

Organization

An e-commerce company that operates daily deals websites in numerous countries.

Scenario

Hackers breached the security of the organization’s computer system, resulting in unauthorized access to customer data.

Attackers and motivation

The attackers were most likely after customer credit card data to sell on the black market.

Techniques used

SQL Injection, which is the most common form of attack for websites and web applications, was most likely used for this breach. However, other entry methods cannot be ruled out, including a more sophisticated cross-site scripting attack, or perhaps exploitation of a flaw in the web application that might have resulted from poor testing.

Business impact

More than 50 million usernames, hashed passwords and e-mail addresses were stolen, badly damaging the company’s reputation. And because customer data was involved, the organization was required to report the breach, which attracted attention from the media. The incident received worldwide press coverage, both in newspapers and on television. What’s more, loss of personal data resulted in a loss of customer trust, which is especially critical for e-commerce companies. This almost certainly had a negative impact on revenue.

Case 1

Hacktivists strike back with a vengeance

Organization

A very large financial services firm whose core global business is processing credit card transactions.

Scenario

A popular protest turned into cyber-terrorism with a call–to-action from a politically motivated hacker collective. Together, thousands of people initiated a large denial-of-service attack on the company’s network, making its services unavailable to clients.

Attackers and motivation

The attack was motivated by the company’s decision to block payments to a well known website based on claims that the site’s activities were illegal. This decision caused a worldwide commotion among the website’s supporters. Popular support for the cause -- combined with low technical requirements to participate -- resulted in a large-scale attack.

Techniques used

To make the attack as successful as it was, the hackers recruited a large numbers of volunteers to help. All participants installed special attack software on their computers, which together formed a single large botnet. The software was specifically designed to perform a large distributed denialof-service attack (DDoS) on the company’s network. Instructions were sent via chat telling all of the computers in the botnet to start attacking the company’s network. Due to the large number of people involved in the attack, the company’s payment services quickly became unavailable or highly inaccessible for 10 hours.

Business impact

Direct costs of the attack have been estimated at more than $3 million. But the incident’s overall impact was even greater, showing how cyber-protests could be used to damage organizations and influence their behavior. Since the attack, other organizations within the sector have been targeted for protest by the same group.

Case 2

Thieves use stolen data to create their own credit cards

Organization

Scenario

A group of criminals broke into the company’s systems and over the course of a year stole magnetic stripe data for approximately 7 million credit cards. They then created fake credit cards by programming the stolen data onto cheap prepaid cards, which were later used to purchase expensive items such as computers and televisions.

Attackers and motivation

The attackers were motivated by financial gain. The careful target selection and sophisticated techniques used for the attack suggest the involvement of a well organized cyber-criminal group.

Techniques used

Attackers infiltrated a crucial part of the payment processing infrastructure containing magnetic stripe data, which was then exported to create duplicate credit cards that were later used for fraudulent transactions.

Business impact

The company revealed that the data breach cost an estimated $90 million, which includes fraud losses as well as fines, costs associated with the investigation, charges from card networks and client aftercare. The company’s reputation also took a lot of damage, both from consumers and from clients within the payment card networks.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities. DTTL (also referred to as “Deloitte Global”) and each of its member firms and their affiliated entities are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.